Q&A with Udo Helmbrecht, executive director of ENISA

As we approach Cloud World Forum in London this June, Business Cloud News had the opportunity to get a few minutes with one of the conference speakers, Udo Helmbrecht, executive director of the European Union Agency for Network and Information Security (ENISA), to discuss some of the current issues facing the cloud sector.

Q. Can you give me a sense of some of the unique attributes of your business or vertical, and how they shape or impact your IT estate?

ENISA works with a range of stakeholders, from citizens and small businesses to large corporates and member states. We are constantly interacting with our stakeholders across the EU, through social media, video conferencing, group calls, collaborative real-time document editing, mailing lists, et cetera.

Although ENISA doesn’t handle secret documents, we do manage a lot of information which is sensitive. So security of our services, and this includes both confidentiality of data and business continuity, is paramount. At the same time ENISA is small, it is actually one of the smallest EU agencies and we have limited budget and resources. Balancing the increasing information technology needs with the high information security requirements and the hard budget limitations is challenging. In practice we are constantly looking at ways to make our ICT operations more efficient and more effective. This means we are buying more standard off-the-shelf products, and, where possible, we look at outsourcing and cloud computing for the delivery of our ICT resources. For example, our website and collaboration portals are based on open source products, which are customized, run and maintained by web-development and web-hosting companies. The development of an innovative and competitive EU cloud market will be vital also for us as customers.

Q. What do you think the most disruptive elements of cloud computing and enterprise IT are currently?

Cloud computing continues to change the way customers use information technology. With its Cloud computing strategy, the European Union has placed cloud computing at the center of its Digital Agenda. Cloud computing has the potential to increase innovation and competition, to boost jobs and economic growth, and to reduce the time and money needed for new ICT solutions. At ENISA we focus on cloud security and cloud security has been a hot topic for several years – and even more so in the last months. Because cloud computing is a kind of outsourcing, customers may lose some control over how their ICT is implemented. Many of the security risks associated with cloud computing are related to this potential loss of control. Over the years cloud providers, together with the customers, have developed ways to give customers more control. Many cloud providers now offer dashboards, with monitoring data and controls, service level agreements, detailed contracts specifying the responsibilities of the provider, preferences on data location, and more. This trend will continue.

The recent revelations by Edward Snowden about the NSA’s surveillance activities put the media spotlight on another aspect of cloud security. If customers place all their data in remote datacenters, then how can they know for certain that nobody looks into their files? If datacenters are in foreign countries or operated by foreign providers, how can customers trust that access requests by law enforcement are handled in a way acceptable for them?

At the same time, it is easy to see that cloud computing offers important security opportunities for customers. Imagine the costs of a state-of-the-art datacenter, with 24/7 monitoring and incident response functions, with highly skilled ICT and IT security staff, robust power supply and redundant data connections. For most customers such investments would be far out of reach. Now imagine several of these datacenters, spread across a region, to prevent outages even in the face of natural disasters. The catastrophic earthquake and tsunami at Fukushima, Japan, of 2011 provided a good practical example of the robustness of cloud computing. In the disaster areas, most legacy ICT failed but the large cloud datacenters were unaffected despite the large-scale power cuts. In the direct aftermath of the earthquake, cloud computing was used to coordinate communications between survivors and rescue teams. And in the weeks after the disaster the affected legacy ICT of businesses was migrated to cloud computing datacenters. In the following year the Japanese government made migration to cloud computing a top priority, as a crucial step to improve the resilience of Japan’s society and economy.

Q. In five years, what do you think your organisation will look like and what kinds of technologies do you think will be needed to support this vision?

In five years certainly ENISA will have much greater ICT needs. In particular we foresee doing more and more with online interaction tools, more with video material, online tutorials and trainings, and virtual face-to-face meetings. At the same time our employees will be even more mobile and become even more ‘road warriors’. In practical terms this means:

– The core of our organisation travels extensively. To become more effective we will need to complete the transition to full web-based systems to allow a fully hybrid architecture where our employees can work from a desk, from a laptop, or a smartphone, seamlessly.

– Mobility is key for ENISA, because we need to be in contact with the security community. This means we will need to better integrate the different mobile devices with our internal security requirements. We are looking forward to developments in the mobile app market for this. Currently it is still costly for us to develop good interfaces and authentication methods for allowing smartphone use of our intranet applications.

– To be more effective in the current media landscape our content will have become more interactive and it will involve more video material. We are finding out that small and short videos are creating a lot of impact, for example. This inevitably means we will be looking at large datacenters, which are well-connected to the EU’s backbone, to allow all our customers quick and easy access to our content.

Q. What do you think are some of the biggest challenges involved with moving your IT estate over to the cloud?

Cloud computing is a kind of outsourcing. As we all know from the past, in outsourcing, and in ICT outsourcing in particular, the main risk is a lack of governance and control. It requires a different mindset for ICT departments as they are switching from running servers and installing software to managing contracts and monitoring outsourced services. Over the past years, ENISA has focussed most of its work on this aspect: How do you do due diligence before procuring a cloud service? What are your security requirements? Which are key service levels to guarantee security of the services? How do you measure and monitor these service levels?

Another important challenge for cloud computing customers is compliance with laws and governance standards, and how to show compliance to third parties. Often laws and governance standards lag behind the uptake of cloud technology, and customers find it hard to adopt cloud computing, because of legal limitations, or because they have difficulty showing compliance to these laws.

Q. What are you most looking forward to at Cloud World Forum this year?

For ENISA it is very important to keep in close contact with the industry. We see ourselves as a bridge between the public and the private sector. Often in our work we try to translate legislation and more high-level policy goals to more practical cost-efficient and cost-effective security solutions. The Cloud World Forum offers an excellent opportunity to engage with industry experts and understand their views on the current issues in cloud computing and their views on the future of cloud security.

In particular, we are looking forward to understanding better the pros and cons of information security certification: How can certification speed up procurement? What can be expected from certification, and what not? How can we reconcile the dynamics of cloud systems, which change every week, with the requirements of the static once-per-year compliance checks? What are the needs of cloud providers with regard to certification? How can we incorporate continuous monitoring in the existing information security frameworks?
